
Security Programs

Infosec

| Link | Notes |
| --- | --- |
| Information Security Services functions | Each section within the Information Security Services function is composed of numerous departments, each with its own functions supporting the larger department |
| Early Security for Startups | What should a startup without a security team do for security? |

Product / DevOps

| Link | Notes |
| --- | --- |
| Netflix: The Paved Road at Netflix | |
| Netflix: Netflix Culture Meets Product Security | 1. Security is the responsibility of each individual product team<br>2. Security is the responsibility of the security team |
| Netflix: Scaling Appsec at Netflix | 1. Operational Appsec capabilities: traditional Appsec activities<br>2. Security Partnerships: driving holistic security improvements to drive down risk<br>3. Appsec Automation: build a comprehensive app inventory and enable self-service security guidance |
| Cruise: Building a Container Platform at Cruise | Environments & Tenants, Infrastructure Boundaries, Platform Boundaries |
| Cruise: Container Platform Security at Cruise | Identity, Authentication, Authorization, Secrets, Encryption |
| Cruise: Container Platform Networking at Cruise | GCP Hybrid Connectivity Options |
| Cloudflare: Startup Security: Starting a Security Program at a Startup | 1. Relationships<br>2. Security Culture<br>3. Compromise and Continuous Improvement |
| Compliance in a DevOps Culture | Integrating the necessary Security Controls and Audit capabilities to satisfy Compliance requirements within a DevOps culture can capitalize on CI/CD pipeline automation, but presents unique challenges as an organization scales |

AppSec Specific

| Link | Notes |
| --- | --- |
| An opinionated guide to scaling your company's security | Clint's talk summarising approaches from multiple companies |
| Uber: The Path to Code Provenance | Strategy for ensuring we have a verifiable attestation of the origin of all code running in production |
| Beyond The Security Team | |
| Implement Security Champions Programme | Main steps for quickly establishing a Security Champions program regardless of company size and the maturity of existing security processes |
| How we run our bug bounty program at Segment | |
| A Guide to Threat Modelling for Developers | Clear and simple steps to help teams that want to adopt threat modelling |
| Awesome Threat Modeling | |
| Appsec Development: Keeping it all together at scale | 1. Project Risk assessment: Help teams manage risk to their timeline and help security schedule penetration tests<br>2. Security Impact Assessment: Let teams quickly exit the review process without the need for peer review<br>3. Risk Assessment: Identify potentially risky items with peer review<br>4. Threat Model: Analyze risky designs and create mitigations |
| Creating Security Decision Trees With Graphviz | |
| Democratizing Security: Application Security Scanning | How to build an application and cloud security automation program |
| Building a SAST program at Razorpay's scale | No single tool or technique can identify all security defects in an application. Part of building a mature Security program is to use a number of techniques to find security defects |
| Best practices on rolling out code scanning at enterprise scale | Some best practices on how to roll out centrally managed, developer-centric application security with a third-party CI/CD system like Jenkins or ADO |
| How DoorDash Ensures Velocity and Reliability through Policy Automation | How DoorDash leverages OPA to build policy-based guardrails with codified rules that ensure velocity and reliability for automated cloud infrastructure deployments |
| The Art of Vulnerability Management | How to create a positive vulnerability management culture and process that works for engineers and the security team |
| Vulnerability Scanning at Palantir | How Palantir streamlines and automates vulnerability remediation efforts |
| Security Drone: Scaling Continuous Security at Revolut | How Revolut uses a custom system to scale and improve their continuous security scanning |

Teams

| Link | Notes |
| --- | --- |
| The Actual Cybersecurity Workforce Challenge | There is a cybersecurity skills crisis, but the answer is not to simply focus on creating more trained cybersecurity professionals |

Risk / Compliance

| Link | Notes |
| --- | --- |
| Equifax Controls Framework | Equifax has released an open-source controls framework that provides security guidance for cloud-native applications |
| The SOC2 Starting Seven | 7 things you can do now that will simplify SOC2 for you down the road while materially improving your security posture right away |
| SOC2: The Screenshots Will Continue Until Security Improves | A great post explaining what SOC2 is and how it works |
| Everything and Anything You Need To Know About SOC 2 | A high-level overview of SOC2 |
| Cybersecurity and the Board: A Fresh Perspective? | How to represent cybersecurity (or technology / information risks more generally) to the Board |
| Open-Sourcing riskquant, a library for quantifying risk | |
| Experimenting with visualizations and code risk overview | |

Culture

| Link | Notes |
| --- | --- |
| Monocle: How Chime creates a proactive security & engineering culture | Insightful article from the Chime security team, explaining how to choose where to prioritize investments in security, and how to empower engineers and teams to independently improve the security posture of their code |

Checklists